CWNA Guide to Wireless LANs, Second Edition - PowerPoint PPT Presentation

1
CWNA Guide to Wireless LANs, Second Edition
  • Chapter Eight
  • Wireless LAN Security and Vulnerabilities

2
Objectives
  • Define information security
  • Explain the basic security protections for IEEE
    802.11 WLANs
  • List the vulnerabilities of the IEEE 802.11
    standard
  • Describe the types of wireless attacks that can
    be launched against a wireless network

3
Security Principles: What is Information Security?
  • Information security: Task of guarding digital
    information
  • Information must be protected on the devices
    that store, manipulate, and transmit the
    information through products, people, and
    procedures.
  • The characteristics of information that must be
    protected are CIA:
  • Confidentiality: Only authorized parties can
    view information
  • Integrity: Information is correct and unaltered
  • Availability: Authorized parties must be able to
    access at all times

4
Security Principles: What is Information Security?
5
Challenges of Securing Information
  • Trends that make information security
    increasingly difficult:
  • Speed of attacks
  • Sophistication of attacks
  • Faster detection of weaknesses
  • Day zero attacks
  • Distributed attacks
  • The many against one approach
  • Impossible to stop attack by trying to identify
    and block source

6
Categories of Attackers
  • Six categories of attackers:
  • Hackers: Not malicious; expose security flaws
    (ethical attackers)
  • Crackers: Violate system security with
    malicious intent
  • Script kiddies: Break into computers to create
    damage
  • Spies: Hired to break in and steal information
  • Employees: Unhappy employees that steal, damage
    and change information
  • Cyber-terrorists: Steal, damage and change
    information for ideology or extreme beliefs

7
Security Attackers Profiles
8
Security Organizations
  • Many security organizations exist to provide
    security information, assistance, and training
  • Computer Emergency Response Team Coordination
    Center (CERT/CC)
  • Forum of Incident Response and Security Teams
    (FIRST)
  • InfraGard
  • Information Systems Security Association (ISSA)
  • National Security Institute (NSI)
  • SysAdmin, Audit, Network, Security (SANS)
    Institute

9
Basic IEEE 802.11 Security Protections
  • Data transmitted by a WLAN could be intercepted
    and viewed by an attacker
  • Important that basic wireless security
    protections be built into WLANs
  • Three categories of WLAN protections
  • Access control
  • Wired equivalent privacy (WEP)
  • Authentication
  • Some protections specified by IEEE, while others
    left to vendors

10
Access Control Security
  • Intended to guard one of the CIAs: availability
    of information
  • Wireless access control: Limit users' access to
    the AP by filtering MAC addresses
  • Media Access Control (MAC) address filtering:
    Based on a node's unique MAC address
  • Can be defeated by spoofing a MAC address

11
Access Control Filtering
  • MAC address filtering considered to be a basic
    means of controlling access
  • Requires pre-approved authentication
  • Difficult to provide temporary access for guest
    devices

12
Wired Equivalent Privacy (WEP)
  • Guards the confidentiality of CIA
  • Ensures only authorized parties can view the
    information
  • Used in IEEE 802.11 to encrypt wireless
    transmissions
  • Scrambling
  • Cryptography: Science of transforming information
    so that it is secure while being transmitted or
    stored
  • Scrambles data
  • Encryption: Transforming plaintext to ciphertext
  • Decryption: Transforming ciphertext to plaintext
  • Cipher: An encryption algorithm
  • Given a key that is used to encrypt and decrypt
    messages
  • Weak keys: Keys that are easily discovered

13
WEP Cryptography
14
WEP Implementation
  • IEEE 802.11 cryptography objectives
  • Efficient
  • Exportable
  • Optional
  • Reasonably strong
  • Self-synchronizing
  • WEP relies on secret key shared between a
    wireless device and the AP
  • Same key installed on device and AP
  • A form of Private key cryptography or symmetric
    encryption

15
WEP Symmetric Encryption
16
WEP Characteristics
  • WEP shared secret keys must be at least 40 bits
  • Most vendors use 104 bits
  • Options for creating WEP keys
  • 40-bit WEP shared secret key (5 ASCII characters
    or 10 hexadecimal characters)
  • 104-bit WEP shared secret key (13 ASCII
    characters or 16 hexadecimal characters)
  • Passphrase (16 ASCII characters)
  • APs and wireless devices can store up to four
    shared secret keys
  • Default key: One of the four stored keys
  • Default key used for all encryption
  • Default key can be different for AP and client

17
WEP Keys
  • Key order must be the same for all devices
  • Default keys can be different for each device
18
WEP Encryption Process
  • Step 1: CRC(Text) = ICV
  • CRC: Cyclic Redundancy Check; ICV: Integrity
    Check Value
  • IV: Initialization Vector, 24-bit, changes for
    each encryption
  • Step 2: IV + Secret Key = seed
  • PRNG: Pseudo-Random Number Generator
  • Step 3: PRNG(seed) = Keystream
  • Step 4: (Text + ICV) XOR (Keystream) = Ciphertext
  • Step 5: IV + Ciphertext = Transmission

XOR truth table:
  A  B  A XOR B
  0  0  0
  1  0  1
  0  1  1
  1  1  0
19
WEP Stream Cipher
  • When encrypted frame arrives at destination
  • Receiving device separates IV from ciphertext
  • Combines IV with appropriate secret key
  • Create a keystream
  • Keystream used to extract text and ICV
  • Text run through CRC
  • Ensure ICVs match and nothing lost in
    transmission
  • Generating keystream using the PRNG is based on
    the RC4 cipher algorithm
  • Stream Cipher
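
The five encryption steps and the receiver's ICV check from the two slides above, as an added Python example that is not part of the original presentation. It is simplified to the slide's "IV + Ciphertext" layout (no 802.11 header or key ID byte); the key, IV and message are constructed sample values, and the little-endian CRC-32 packing is an assumption of this example.

```python
import struct
import zlib

def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Step 3: PRNG(seed) = keystream, using RC4 (key scheduling, then output)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + seed[i % len(seed)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):                   # pseudo-random generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(key: bytes, iv: bytes, text: bytes) -> bytes:
    if len(iv) != 3 or len(key) not in (5, 13):
        raise ValueError("WEP uses a 24-bit IV and a 40- or 104-bit key")
    icv = struct.pack("<I", zlib.crc32(text))        # Step 1: CRC(Text) = ICV
    seed = iv + key                                  # Step 2: IV + key = seed
    keystream = rc4_keystream(seed, len(text) + 4)   # Step 3: PRNG(seed)
    ciphertext = xor(text + icv, keystream)          # Step 4: XOR with keystream
    return iv + ciphertext                           # Step 5: IV sent in the clear

def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    iv, ciphertext = frame[:3], frame[3:]            # separate IV from ciphertext
    plain = xor(ciphertext, rc4_keystream(iv + key, len(ciphertext)))
    text, icv = plain[:-4], plain[-4:]
    if struct.pack("<I", zlib.crc32(text)) != icv:   # recompute CRC, compare ICVs
        raise ValueError("ICV mismatch: frame altered or wrong key")
    return text

# Constructed sample values, not taken from the presentation
KEY = b"ABCDE"                      # 40-bit key as 5 ASCII characters
IV = bytes.fromhex("0a0b0c")        # 24-bit IV
FRAME = wep_encrypt(KEY, IV, b"hello, access point")
```

Because the keystream depends only on the IV and the shared key, two frames sent with the same IV are XORed with the same keystream, which is why the IV has to change for each encryption.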

20
Authentication
  • IEEE 802.11 authentication: Process in which AP
    accepts or rejects a wireless device
  • Open system authentication
  • Wireless device sends association request frame
    to AP
  • Carries info about supported data rates and
    service set identifier (SSID)
  • AP compares received SSID with the network SSID
  • If they match, wireless device authenticated
  • Shared key authentication: Uses WEP keys
  • AP sends the wireless device the challenge text
  • Wireless device encrypts challenge text with its
    WEP key and returns it to the AP
  • AP decrypts returned result and compares to
    original challenge text
  • If they match, device accepted into network

21
Vulnerabilities of IEEE 802.11 Security
  • The IEEE 802.11 standard's security mechanisms
    for wireless networks have fallen short of their
    goal
  • Vulnerabilities exist in:
  • Authentication
  • Address filtering
  • WEP

22
Open System Authentication Vulnerabilities
  • Inherently weak
  • Based only on match of SSIDs
  • SSID beaconed from AP during passive scanning
  • Easy to discover
  • Vulnerabilities
  • Beaconing SSID is default mode in all APs
  • Not all APs allow beaconing to be turned off
  • Or manufacturer recommends against it
  • SSID initially transmitted in plaintext
    (unencrypted)
  • Vulnerabilities: If an attacker cannot capture an
    initial negotiation process, they can force one
    to occur
  • SSID can be retrieved from an authenticated
    device
  • Many users do not change default SSID
  • Several wireless tools freely available that
    allow users with no advanced knowledge of
    wireless networks to capture SSIDs

23
Open System Authentication Vulnerabilities (continued)
24
Shared Secret Key Authentication Vulnerabilities
  • Attackers can view key on an approved wireless
    device (i.e., steal it), and then use on own
    wireless devices
  • Brute force attack: Attacker attempts to create
    every possible key combination until correct key
    found
  • Dictionary attack: Takes each word from a
    dictionary and encodes it in same way as
    passphrase
  • Compare encoded dictionary words against
    encrypted frame
  • AP sends challenge text in plaintext
  • Attacker can capture challenge text and device's
    response (encrypted text and IV)
  • Mathematically derive keystream

25
Shared Secret Key Attacks
26
Address Filtering Vulnerabilities
27
WEP Vulnerabilities
  • Uses 40 or 104 bit keys
  • Shorter keys easier to crack
  • WEP implementation violates cardinal rule of
    cryptography
  • Creates detectable pattern for attackers
  • APs end up repeating IVs
  • Collision: Two packets derived from same IV
  • Attacker can use info from collisions to initiate
    a keystream attack

28
WEP XOR Operation
29
Capturing packets
30
WEP Attacks
  • PRNG does not create true random number
  • Pseudorandom
  • First 256 bytes of the RC4 cipher can be
    determined by bytes in the key itself

31
Other Wireless Attacks: Man-in-the-Middle Attack
  • Makes it seem that two computers are
    communicating with each other
  • Actually sending and receiving data with computer
    between them
  • Active or passive

32
Other Wireless Attacks: Man-in-the-Middle Attack (continued)
Figure 8-16 Wireless man-in-the-middle attack
33
Other Wireless Attacks: Denial of Service (DoS) Attack
  • Standard DoS attack attempts to make a server or
    other network device unavailable by flooding it
    with requests
  • Attacking computers programmed to request, but
    not respond
  • Wireless DoS attacks are different
  • Jamming: Prevents wireless devices from
    transmitting
  • Forcing a device to continually dissociate and
    re-associate with AP

34
Summary
  • Information security protects the
    confidentiality, integrity, and availability of
    information on the devices that store,
    manipulate, and transmit the information through
    products, people, and procedures
  • Significant challenges in keeping wireless
    networks and devices secure
  • Six categories of attackers: Hackers, crackers,
    script kiddies, computer spies, employees, and
    cyberterrorists

35
Summary (continued)
  • Three categories of default wireless protection:
    access control, wired equivalent privacy (WEP),
    and authentication
  • Significant security vulnerabilities exist in the
    IEEE 802.11 security mechanisms
  • Man-in-the-middle attacks and denial of service
    attacks (DoS) can be used to attack wireless
    networks